About Author

Glyn Moody's look at all levels of the enterprise open source stack. The blog will look at the organisations that are embracing open source, old and new alike (start-ups welcome), and the communities of users and developers that have formed around them (or not, as the case may be).

Why Mozilla Was Right: GCHQ & NSA Track Cookies

During 2013, I’ve written a few articles about Mozilla's attempt to give users greater control over the cookies placed on their systems, and how the European arm of the Interactive Advertising Bureau (IAB) tried to paint this as Mozilla "undermining the openness", or "hijacking" the Internet because it dared to stand up for us in this way. That makes this latest revelation from the Snowden treasure-trove of documents, published in the Washington Post, rather important:

The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance.

The agency’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.

In other words, it’s not just tiresome advertisers that are tracking your every move, it’s the NSA (and our own dear GCHQ plus a few Russian and Chinese spy agencies too...). Here’s how:

According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or “cookies” that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don’t contain personal information, such as someone’s name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person’s browser.

In addition to tracking Web visits, this cookie allows NSA to single out an individual’s communications among the sea of Internet data in order to send out software that can hack that person’s computer. The slides say the cookies are used to “enable remote exploitation,” although the specific attacks used by the NSA against targets are not addressed in these documents.

This shows the incredible foresight and absolute wisdom of Mozilla’s work here: it is vital that we have total control over the cookies being placed on our systems. Indeed, in the light of the NSA spying, I suggest we must flip the current model: henceforth, all cookies should be blocked by default, and a curated whitelist used for those that are permitted.

Yes, setting up whitelists is a pain, and blocking all cookies will be inconvenient, but it’s a question of relative importance: are you really prepared to barter your privacy and freedom just to make it easier to buy stuff online?
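
The block-by-default model proposed above, as an added example that is not part of the original article and is not Mozilla's code: a cookie is stored only if the host setting it is on a curated whitelist, and a Domain attribute may not widen it beyond that list. The host names, whitelist entries and the PREF-style value are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: block-by-default cookie policy; all hosts and values are constructed.
const WHITELIST = ["shop.example", "bank.example"]; // hypothetical curated list

// True if host equals domain or is a subdomain of it (leading dot ignored).
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return d !== "" && (h === d || h.endsWith("." + d));
}

// Parse one Set-Cookie header value into { name, attrs }, or null if malformed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i < 0 ? "" : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Decide whether a cookie sent by responseHost may be stored. Default is deny.
function decide(responseHost, header, whitelist = WHITELIST) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { accept: false, reason: "malformed" };
  const listed = (host) => whitelist.some((d) => domainMatches(host, d));
  if (!listed(responseHost)) return { accept: false, reason: "host not on whitelist" };
  // A Domain attribute must not widen the cookie's scope beyond whitelisted sites.
  const scope = (cookie.attrs.domain || responseHost).replace(/^\./, "");
  if (!domainMatches(responseHost, scope) || !listed(scope)) {
    return { accept: false, reason: "Domain attribute outside whitelist" };
  }
  return { accept: true, reason: "whitelisted", name: cookie.name };
}

// Constructed traffic: one first-party session cookie, one PREF-style tracker.
const SAMPLE = [
  ["www.shop.example", "session=abc123; Domain=shop.example; Path=/; Secure; HttpOnly"],
  ["ads.tracker.example", "PREF=ID=0123456789abcdef:TM=1386633600; Domain=.tracker.example"],
  ["www.shop.example", "uid=42; Domain=example"],
];

// Names of the cookies that would actually be stored under the policy.
function storedCookies(responses) {
  return responses.map(([h, c]) => decide(h, c)).filter((r) => r.accept).map((r) => r.name);
}
```

Of the three constructed responses, only the first-party `session` cookie is kept; the tracker's identifier and the over-broad `Domain=example` cookie are both refused.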
